Helped run the software equity research franchise here at Citi. Very excited to have Okta on stage with me, and actually very thrilled to have Monty Gray, head of EVP of CorpDev, head of CorpDev at Okta, and it's exciting times in cyber, very exciting times in identity security, so very serendipitous for you to join us here. I know maybe not many investors are familiar with you, so I'd love to kind of level set with the audience here in terms of your background and the seven years that you've spent heading up the CorpDev effort at Okta, and then we can take it from there.
Sure. So thanks for having us over here.
Oh, and Dave Gennarelli, the man, the legend running the IR effort.
Thanks .
There you go.
Yeah, thanks for having us.
The man that needs no introduction.
I'm responsible. I've been at Okta for seven years, responsible for corporate development, which includes company strategy, M&A, technology partnerships, we have some investments, and just broader ecosystem engagement for the company. So glad to be here.
Excellent. I want to very much start out with the M&A philosophy, the M&A process. You've done a deal in the Privileged Access space this year. You've had one of your principal peers/competitors in this space now get acquired, or at least in talks of being acquired by Palo Alto Networks. So at the very highest level, can you talk to us about how your M&A process in terms of asset selection, asset quality, asset size have changed, and how the Palo Alto Networks CyberArk tie-up is going to potentially add further change or influence or impact further change in this process and philosophy?
Yeah, so I'll say, as long as I've been doing this, even before I joined Okta, this is one of the busiest times that we're seeing in terms of just M&A activity out in the market, right? And from the security standpoint, it's very active. We're very busy. We tend to be extremely proactive and diligent when we think about spaces that we acquire. We announced an acquisition last week at our earnings in the Privileged Access space, small acquisition. I would say that the profile that tends to work well for us as a company are things that accelerate our roadmap, right? With the exception of Auth0 about four years ago, that was more of like getting into a different market category and a scaled market category, but the thing we look at now is like, how do we accelerate our roadmap? How do we understand the ecosystem?
And again, given the purview of what I have, I have a lot of different ways to touch the ecosystem through partnerships and integrations. And that's the benefit of having, you know, being a company like ours. We're an identity-related company where you just have integrations to everybody in the company, in the ecosystem. So I get a chance to really meet a lot of different companies there. I'll say the security part is dynamic. There's a lot of companies that are trying or a lot of different aspects, especially with security trends, agentic trends that are happening now, agentic AI. And so we're constantly looking at ways that we can accelerate, inform our roadmap with that as well. And there's just a lot of good talent out there.
I think that's a great jumping-off point to talk about AI and agentic AI and what that portends for the business in the next three to five years. So, you know, can you walk us through some of the main bets that Okta is making on the organic side and, you know, the asset profile and the intellectual property that you're seeing out there to help accelerate that roadmap? So walk us through kind of some of that industrial logic.
Sure. So I think that to answer that, let me just paint a picture of kind of like what our philosophy and strategy is here. We think of identity as a pretty broad platform, and we call this Identity Security Fabric. What does that mean? It means we have at one end, at the top end of it is like all the different types of users within an organization. So it could be an employee, it could be a business partner, it could be contingent labor, and now it could be an agentic AI, right? And imagine all those just having access to all the different resources available within an organization. Resources can be SaaS application, it could be a database, it could be cloud infrastructure, Kubernetes, even down to on-prem. And once we're supporting that whole paradigm, we're then able to have different use cases that hang off that.
There's an access use case, there's a governance use case, Privileged Access use cases, posture management. So we think of that kind of from a holistic perspective. And to your question, in that world, it's what do we have to do to actually extend that into, as I mentioned, agentic AI, right? All the basic principles still exist of an agentic AI has access on behalf of a person. How do you do this in a secure, compliant manner? And how do we enable our customers to be able to adopt these technologies? What happens today, by and large, is a lot of customers will adopt agentic AI. They'll basically just give them an overprivileged service account or something. That creates a ton of risk. We're trying to narrow that down to basically what are the policies and entitlements that a person would have.
We extend that to what an agent would have. To do that effectively, you need to actually have visibility into what an agent is doing. You need to grant them Privileged Access and then have all the reporting that comes along with it. And so we view that as just another, you know, our roadmap is something that's aligned with kind of that strategy that we have right there. Obviously, there's a lot of different deployment modalities and different ways that you can integrate with agents, and those are things that we're looking at. We're starting to see some innovation happen there from the early startups, but those are very early. Those are like still really small companies.
I have this debate with investors around, hey, in the non-human identity sphere and, you know, slapping guardrails around how that is going to be managed from an architectural standpoint in an organization. Is it more of a governance problem or is it more of a privilege problem? You used the term overprivileged earlier. So, you know, bearing in mind that you have both sets of intellectual property in the form of, you know, what you're selling to customers in OIG and what you've been selling to customers from a Privileged Access perspective. But I'd love to get your feedback on, you know, what you're seeing, but also what customer reaction has been to, hey, is the agent problem more of a governance and a role-based access authorization issue, or is it a pure privilege curtailment dynamic?
We actually think of it. There's even a visibility problem ahead of that, which is posture, right? So we think of it as actually cutting across all those different aspects. So, for example, like what agents exist within the organization, what do they have access to? Let's just baseline what's happening within an organization. That's really just a visibility and posture question. And then from there, it's like, how do you provide the right level of privilege to actually narrow the scope of what these agents have access to within the organization? And then from there, it becomes a governance one, which is, is this really happening the way we think it's going to happen and can I report on that?
So we're starting to actually find that this cohesive platform is where it really starts to light up because the identity complexity is something that's much more than it was before with just humans in there. So it kind of cuts across all three. It's not just one or the other, but we do see, you know, historically what people do without having identity sitting in there is we're just kind of overprivileged. So the word privilege does jump out.
Even from a technology perspective, I'm wondering if you can opine on how much of this new pain point can be solved by repurposing existing capabilities that you have for a net new use case or if it fundamentally requires a fresh new approach?
Yeah, it's a little.
Can you retrofit OIG?
Sure.
Okta PAM.
I think it goes down to there's two different ways agents will actually interact with systems within an organization. One way is they will mimic human behavior. In that world, you still have sessions, you still have tokens, you still have the interactive paradigms, which are very similar to what a person would do. And that's where you can actually repurpose some of the tooling to support that. There's some nuance to it, right? Can you actually have a disconnected session where someone can go off and do some work, come back and have a human in the loop, things like that? And we support those. Can you have a directory, for example, our directory today is primarily humans in there. Can we extend that to actually support non-humans into our directory? So there is some additional roadmap.
The other interaction paradigms tend to be more, you know, I'll say below the line, which is more API-centric. So are these agents actually going to a native API? Are they calling an MCP server, for example? And in that world, we spend a lot of time working with standards bodies to actually support, you know, the OpenID standard, things that are adjacent to. So the OpenID standard enables us to actually use an IDP to actually give access to things that actually happen at the system level. And that's where there's still some roadmap around those, and that's where we're spending a lot of time and energy right now.
And then just tying this back into sort of some of the commercial implications. So as I alluded to kind of in my opening remarks that the Palo Alto CyberArk tie-up, you know, initial impressions on the transaction implications as one of your peers just sort of gets swooped away. I know there's an ethos at the company about being independent and being a standard bearer of independence. You know, how are you internalizing that just from a go-to-market and competitor and competitive perspective?
Yeah, I think you nailed one of them, which is, you know, our philosophy. There tends to be two philosophies that kind of exist in the market today. One is, is there a kind of a full suite or platform approach? And then the other is what we do, which is, you know, supporting best of breed and enabling best of breed. And in that world, we play, you know, we integrate with the ecosystem. We have commercial relationships with different parties in the ecosystem. When you think about the control plane for security, there's endpoint providers, network providers, there's cloud infrastructure providers, you know, in addition to an identity provider. And that's the world we operate in, which is like the breadth and depth of integrations and those use cases that cut across. We do well and we focus there. So that's kind of one area.
The second would, I would say, there's a big coexistence. I get this question quite a bit around competition, like how are we versus Microsoft or versus CyberArk from our PAM perspective. We tend to coexist, right, with these areas because they tend to support, you know, a different type of the environment, whether it's an on-prem part of the environment. What we do well is more on the cloud-native side of the environment. So there tends to be kind of a coexistence there. I would say specific to the transactions early, you know, they haven't closed yet. It's going to take a while to close. We have good relationships with both companies. So I think it's still very early from that standpoint.
Before we shift gears, I want to talk about Auth0. You know, that was a pretty transformational move for the company. So a lot of lessons learned, a lot of perspectives gained. You know, four years later, you know, where are we with respect to Auth0's core capabilities being infused and/or borrowed from and cross-pollinated across the portfolio? And then relatedly, you know, we talked a lot about the enterprise era of privilege and governance, but how does Auth0 and those capabilities, how do those play into the agentic AI opportunity, especially from a consumer-facing application standpoint?
Yeah, so for.
That's a mouthful.
That's a lot there. So for the benefit of the room, Auth0 participates in the market as customer identity, right? And traditional Okta, which everyone knows, is more on the workforce identity side. There is an interaction between those two properties. So on the customer identity side, there tends to be, you know, I would say two major use cases that exist there. One would be if you're a brand and you're a B2C brand and you want to engage with your customers, Auth0 plays well there. Auth0 is a developer-focused product, a lot of developer adoption there. And so if you're a B2C, you're probably CTO, head of product is probably interacting with it. The other part of Auth0, and this is relevant for the conversation, is B2B SaaS.
So if you're a B2B SaaS vendor and you're looking to figure out how to do authentication and have your directory and your user store, Auth0 can provide that for you so that you can focus on your SaaS application. In that world, there's a nice interaction between what Okta has, right? Okta is the workforce IDP of a given customer, but then the B2B SaaS that the customer is adopting can also be powered by Auth0. So we sit on both sides of it in that world. And in that world, you can get some unique interactions that happen between both of those systems.
We spend a lot of time and effort just evangelizing the benefits of actually, you know, to an ISV, if you're an independent software vendor, not only does Auth0 take care of your directory and authentication and single sign-on and all things to make your enterprise ready, but you get some benefit by going into the Okta ecosystem, which your customers will be adopting. There's a standards approach we've taken there. We announced that at our conference, you know, almost a year ago, which is we're going to do this in a standardized manner, so it's not proprietary. We just think we'll have the best reference implementation of those standards to make these systems talk to each other.
And related to that, before we move on, you know, we generally have this working thesis that generative AI is going to have an explosive impact from a consumer and consumerized end user perspective. So Auth0 clearly has historically had a play there, right? How does that dynamic get turbocharged as a brand new voluminous body of consumer-focused generative AI applications burst on the scene? Where does Auth0 play in that? Is that, you know, a pipe dream? Is that, you know, me being pollyannish, or is that something that is a very tangible opportunity that you can chase?
Yeah, so Auth0, I forgot to answer a second part of your question, has an offering that we announced, Auth for Agentic AI. So what is that? That's basically if you're building an AI agent as part of your SaaS application, there's some unique aspects to authentication that matter there, right? We talked about MCP being part of it, how you can interact with MCP, which is how you get access to data. But also, if you think about the disconnected nature, if an agent's going to go on behalf of a person, you want to have a disconnected session, then come back and do human in the loop. If you want to do RAG retrieval for a different data source, Auth0's offering helps support all these different use cases that are specific for a generative AI.
And so that's something that we feel is, you know, we announced that probably about a year ago.
Right.
About a year ago, and that's been something we've seen a lot of good early adoption from developers. So we think there's going to be a lot of tailwinds on that part of it.
Yeah, I think one of the big debates for investors coming into the conference and inquiring minds are really trying to understand and appreciate is how AI and the enterprise or the operationalization of AI gets monetized in the organization and for enterprise software vendors. So from your perspective, you know, historically you've been conventionally a seat-based model, right? You know, how does that change? How does that evolve? How does that get disruptive? And what are some of the mitigating forces that you're thinking about in terms of, you know, infusing some of these new pricing models and modalities in the business to, you know, mitigate that?
So I'll say it's still early, right? And our approach on this one is when I describe the Identity Security Fabric and we're talking about how we extend the value proposition and use cases to agentic AI in addition to people, that's part of this, right? We view the identity complexity becoming even more important today as a result of this than it was prior. We already discussed the privilege and governance complexities there. So we're positioning ourselves to support both of those. I think it's still very early on the pricing front of like how do we price the agentic AI? Something that we're listening to our customers right now and we're working with some early adopters on, but it's still pretty early, but we like how we're positioned on both sides of it.
I'll say even as Okta, like as a company, as we adopt AI on our side, we're still squinting at, is it a force multiplier productivity or is it something that's going to be a replacement? We're still early in that cycle of understanding kind of what's really going to happen in terms of the seat-based pressure actually happening versus moving that over to more software-based and usage-based. But right now we're still seat-based. There's a lot of durability in that model, but it's something that, from a product offering, we're positioning ourselves to support both.
Because you brought it up, I'm very curious, how is Okta AI-ing itself?
Yeah. We spend a lot of time as kind of like in the C-suite talking, discussing, and understanding where the value is going to come from. The early value is customer success. You know, we're making our customer support reps more productive with it. Obviously, we've unlocked a lot of the different capabilities for all the employees to use the tools to become more productive themselves, whether it's through the different LLMs that are available. We're looking at different use cases to support in the marketing organization, for example, and to make people more, but this is all under the umbrella of like how do you get people more productive and more effective versus like it's replacing the work today, but it's something that's a constant conversation. It's rapidly evolving, and we're also looking at how do we do this in a secure manner.
So we have two conflicting kind of philosophies that hit within the organization. You know, for the past couple of years, it's been everything has been around security and hardening our security organization. Now, how do we actually still maintain that, but also go adopt AI to become more productive? And so we're learning as we go through this. We're actually learning ourselves as we build up our own stack internally for doing AI tooling and doing it with security and privilege and governance and visibility at the forefront of it. And then we can take that and talk to our customers.
Dave, I want to pull you into this discussion. So just working on some of the themes on efficiency, organizational efficiency, well, organizational productivity, not necessarily incremental organizational efficiency by use of AI. But if we just talk about core organizational efficiency at Okta, I mean, just mammoth moves in the way the cost structure has been streamlined. I'm wondering if you can kind of spend a little bit of time talking to us about, hey, you know, a lot of the efficiencies have been manifested in the model. We can see that in the operating margin performance that has been blow out pretty consistently for cash flow yield, free cash flow conversion. Where are you in that cycle of cost realignment, but also kind of going back to the well and reinvesting into the business against a lot of the opportunities that we talked about from a secular perspective?
Yeah, we've made great progress over the last two, probably two and a half years now. So getting margins into the mid to high 20s for operating margins and free cash flow margins becoming profitable. So great strides. And it's really all within the framework we've used from the get-go, and that's around the Rule of 40. And we have been at or above Rule of 40, you know, since going public. And that is still our framework going forward. So as growth is moderated, we have really, our top-line growth is moderated, really punched up to the operating margins. Having said that, now we are still keenly focused on re-accelerating top-line growth. So still doing that all within the guise or framework of Rule of 40.
We've never said we're dogmatic about hitting 40 or above, but that is still how we look about how we reinvest in the business and how we want to, you know, look at where our investments are. And those investments this year and probably for the foreseeable future have been on the new product initiatives. So we've talked about new products that are contributing somewhere, you know, anywhere from 15%-20% of bookings over the last several quarters. So we think that should continue to advance forward. We've talked about investments with our partners where, you know, just even this last quarter, all 20 of our top 20 deals were partner touched. So bigger focus on that side and our go-to-market specialization.
So that's a big undertaking this year where we moved from a single point of entry, a single AE going into our larger customers to bifurcating the sales team into really meeting our customers where they are in the buying centers. So the IT and security-focused buyers buying mostly our workforce products and then the developers buying the Auth0 product. So we're two quarters into that. Feel like we've made really good progress, seen some good data points, some green lights, and gives us more confidence as we move into the back half of the year or bigger quarters of the year that sets us up for success on that. But those are the frameworks of the investment areas that we're contemplating as we really, again, are focused on re-accelerating that top line.
And maybe to ask it more bluntly, should we expect a material departure from the current cadence of OpEx investment? So we sort of qualitatively talked about where you are focusing, but just from a quantum standpoint, should we expect a material deviation?
We haven't gotten into next year's guidance just yet. I think as what the next two quarters are really the most telling quarters for us as we think about where top line is moving, the investments that we have made, how those are trending and how we need to dial those in as we go forward. I don't think there's going to be a big change in terms of where those investments are. It's a matter of to what degree. You know, we've come a long way on the margin side. They're in a very healthy zone right now. We think we can be able to continue to have healthy margins as we invest for top-line growth.
Historically, within the go-to-market organization, you know, there has been a lot of change. There has been a lot of focus in, you know, again, the GTM specialization this year has been a huge mandate. I'm wondering if you can talk a little bit about, you know, the downstream impacts of some of that specialization from rep tenure, rep capacity, timeframe to ramp. You know, can you share some perspectives on how some of those dynamics have trended internally, just kind of given the change that's been infused in the go-to-market motion?
Yeah, those are some of the green lights that I mentioned earlier. Just we think about ramp and tenure, those continue to be at multi-year highs. We think about, you know, one of the things we wanted to make sure we guard against in this transition is attrition. So attrition has been at a very healthy rate, but ultimately the reason for the change is to increase productivity with the sales team. So we're seeing good trends on that side. We're not saying mission accomplished yet at this point.
Definitely more work to do, especially as we, again, head into our biggest quarters of the year, Q3 and Q4, but feel like it's definitely on the right track. It gives us more confidence as we move through the year in the sense that we don't need to make big wholesale changes in what we've done so far, but feel like, yeah, we sure can do some fine-tuning here and there, but definitely on the right track.
Dave, you mentioned you are, as an executive team, very keenly focused on re-accelerating the top line. What are the ingredients that are going to go into that?
I'd say those three initiatives that I talked about, the new products that will continue to be the focus.
Maybe specifically on the new products. I know OIG has had a lot, you know, inflecting traction, PAM, but maybe down to the brass tacks, you know, what are going to be some of those needle-mover dynamics to get net retention rates revving back up again to re-accelerate R PO, to then re-accelerate revenue?
Yeah, well, we've been in a market where we've been under more pressure on seats. So we talked about this COVID cohort that's now just flushing out where companies basically overbought on their seats and/or MAUs really on both sides of our business. So we have been successful as we've really expanded the portfolio quite a bit over the last few years. We are selling more products to customers where in cases where they are, you know, maybe in some cases have fewer seats as they come up for renewals as they realign their companies or maybe just their expectations on seat growth more so over the next three years is not going to be anywhere near where their last contract was. So the good news is, yeah, we've had, we have products to make up that seat issue.
So as we look at just how we grow going forward, I think it's still going to be more on the product side and those new products. So it's still going to be healthy core business from SSO to MFA and passwordless as well. Newer products like governance is easily our biggest product within that new product portfolio. Then I'd say the other products, it's kind of many, many products kind of tied for second in terms of what they're contributing. And that's Identity Security Posture Management, Identity Threat Protection with Okta AI, Privileged Access , which now the acquisition we just announced last week is really, we think it's going to increase the how we get to the table and increase the use cases that we're able to bid for. So that's going to be a big part of it.
That brings to mind deal sizes and growth in deal sizes. There has been consistent evidence that more of the business momentum has been coming from large deals, which is fantastic. So, you know, when you think about planning and forecasting the business with a much chunkier, robust portfolio where your lands are getting a little bit larger, how are you thinking about that from a forecasting and planning perspective, but also from a deal cycle perspective? It's great that, you know, a salesperson has so much in the bag to sell, but how do you manage some of this potential deal cycle elongation from a customer standpoint who wants to diligence these products and maybe has taken a little bit longer, which stretches the whole conversation out?
Yeah, it hasn't changed that much. So as we look at, if you can think of our roughly 20,000 customer base, roughly 5,000 customers are $100K plus customers in terms of ACV. Those $100K customers contribute north of 80% of our total ACV. And it's been like that for some time. So we are, I'd say, a little more focused on the quality over quantity of customers. Having said that, we're certainly not satisfied with where we are in terms of new customer acquisition. We want to continue to fill that top of the funnel, which will ultimately lead into the NRR growth as well. And I should have said in that NRR conversation, what has been very stable and healthy over time is the gross retention. So that's been a very stable and healthy metric for us for some time.
That NRR pressure is really coming from that COVID cohort of customers.
I want to talk to you a little bit about the international business. At the time you did Auth0, that really turbo-boosted your international presence because Auth0 was sort of uniquely more international. Now that sort of everything's been digested, international has been undergrowing the US. I'm wondering if you can give us some lens on why that's the case, you know, what's happening maybe in some of these international markets that is out of your control and, you know, some of the things that are potentially in your control to really re-energize the growth?
Yeah, we should be growing faster there. The dynamics in the international markets are really not that different from the U.S. market. There isn't kind of a different set of competitors in those markets. So for us, it's more about focus and resources. We're really trying to concentrate on the kind of top 10 countries in the world that are really going to make a difference instead of trying to go far and wide. We're trying to just be a little more focused in that area. So I'd say it's just more about getting better execution within those particular regions.
Monty, just flipping back to you, you talked about, you know, also having the mandate of running your partnerships and integration, so having a lot of insight into, you know, what your adjacent peers are doing there. There has been a tremendous amount of improvement in the partner-driven business for Okta in the last 12 months to 24 months. What next steps of refinements are due to increase that mix where, you know, more partners are sourcing more business for you and that becomes more of a force multiplier for the business?
Yeah, that's a good question. So we spend, that actually relates to international as well. There's a big regional part to it. So we're trying to meet our customers where they want to buy today. And that tends to be in marketplaces. So AWS is a big partner of ours. We've talked about that for the past few quarters. That continues to do well for us. And then with some of the GSIs, other large partners of ours today, right? And when you think about a partner itself, there's a couple of different motions that exist there, right? There's kind of co-sell, there's co-deliver, and then you kind of get into co-innovate with the partners. And what we're finding with the partner conversations is like it spans the spectrum of all those things today, right? Partners are coming to us and it's less of a transactional relationship.
It's more of a, how do we provide joint customer value relationships? So for the large GSIs, we're having the same conversations we are here about agentic AI, right, on the co-innovate side. And that's something that's new that they're all interested in. And on the co-sell side, that's something that we've been activating and been spending a lot of time focusing on. And then obviously on the co-deliver side, making our customers the most successful they can be. And so we have good incentive alignment with the GSIs. I'd say over the past year to 18 months, that's been something that we focus and prioritize as a company. And we think that's going to be another lever that'll help us, particularly with international one.
So when we think of international as an opportunity for us to grow going forward, this will be a big way that we actually lean into it.
I want to shift gears to talking about the U.S. public sector business. That has been remarkably strong for Okta, and that's in spite of all of the gyrations and, you know, the five stages of grief I think all investors went through, with DOGE is happening and DOGE is not happening and cuts are happening and this and that, so just from a U.S. public sector, excuse me, U.S. public sector perspective, you know, to what would you attribute Okta's, you know, outsized success relative to some of your other verticals, and, you know, how much more opportunity remains? I appreciate it's a very Byzantine space to operate in, so, you know, again, very interesting and robust levels of consistent success in that vertical that I'd love to understand why.
I'd say it goes back several years to the decision to make the investments and getting to now FedRAMP High for civilian agencies and IL4 ability to bid on IL5 opportunities within the DOD section as well. So, and having a great team in DC that's executing against this opportunity as well. So 90 days or 100 days ago, we were, I think, rightly concerned with what was going on in the whole Fed space. And I'd say we've been pleasantly surprised on both sides of the house where the civilian agencies, yeah, we did see maybe a little more disruption and uncertainty and where there was a gap in terms of the seats that they had purchased in their last contract to what they were coming up for renewal on, being able to make up for that with new products.
Getting back to, you know, parity and then some for some of those contracts. And then I'd say more success on the DOD side because we are solving for the biggest things that they're trying to solve for, for better security, greater efficiencies, kind of across the board. And having those certifications gets us at the table. And the modernization projects that are going on across the Fed are pretty significant. So I talked to our Fed team quite a bit this quarter just to understand some of those bigger deals going on. And they're very optimistic about Okta's role and how we can help the government be a little more efficient as we go forward.
And this is largely a tool sprawl rationalization effort, which naturally brings modernization, but is that tactically sort of the most tangible dynamic?
Yeah, from initiatives like Zero Trust to other mandates for less and less customized software, more off-the-shelf software.
Last question for the both of you, an easy-ish one. I give you a magic wand. What is the one concern or misconception that you think investors have that you could wand away?
I think it tends to be the competitive one where I get this question quite a bit as it pertains to Microsoft or even now CyberArk and Palo Alto, which is, it's an either/or conversation. You know, some of our largest integrations are actually with Microsoft, and so it tends to be more of a co-exist, and that seems to be working for us.
Ditto. I get that quite a bit.
I like it. Well, thank you very much. Time flies when you're having fun.
Thank you.
Thank you.